What is the right penetration test for your organisation?

Picking the right penetration test for your business can be difficult. There are many different factors to consider, and in 2020 Bulletproof found that 1 in 4 penetration tests revealed a critical flaw. Penetration testing involves analysing an organisation’s IT infrastructure and applications for security vulnerabilities, all performed by a third-party expert. ‘Pen tests’ are also known as ethical hacking or ‘white hat’ hacking and can include testing employees to assess their responses to phishing attempts and misleading emails. Below, we have answered two of the biggest questions our customers regularly ask us about penetration testing:
What types of penetration test are available?
There are many different types of test; it’s important to discuss the type of test you require with your chosen third party to ensure you are targeting the appropriate aspects of your security systems and getting the results you need. The four main types of penetration test are:
- Infrastructure or network testing – assesses any flaws in the design and the effectiveness of security controls.
- Application testing – testing the functionality, process flow and security controls of all your applications (including mobile and web) to discover any interactions that could create security issues.
- Social engineering prevention services – testing your employees’ security vigilance by simulating a targeted attack by malicious hackers, such as fraudulent emails and web links.
- ‘Red Team’ testing – designed to simulate a real-world attack, ‘Red Team’ testing is a detailed security assessment that attempts to break down every layer of your physical and cyber security defences.
What approach should I take?
Alongside one of the above tests, there are three main approaches for your penetration test, which are black box, white box or grey box:
- Black box – very little information is given to the test company, to simulate a real-world hacker and create a realistic scenario. However, this can mean that not all areas of your infrastructure are tested, as they may not be discovered.
- Grey box – partial information about the target systems is given to the testers, such as basic user level access.
- White box – full access and details of the infrastructure are shared with the testing company, providing a more thorough test and a comprehensive view of your security issues, often performed in a shorter timeframe.
Penetration tests are a vital part of a well-managed cyber security strategy, and you will need to find a partner with a trusted reputation as well as the right technical skills to do the job well. A reputable company will help you to choose the right test and approach combination to meet your objectives, as well as providing you with an easy-to-understand report at the end of the test, detailing any potential risks and areas for improvement. When choosing a pen test partner, look for certifications from industry bodies such as Tigerscheme and CREST to give you peace of mind. We’ve partnered with trusted cyber security provider Bulletproof, who only use CREST-certified and Tigerscheme-approved testers to ensure you get an expert cyber security assessment. Bulletproof has a proven track record in finding all types of cyber weaknesses, with 1,000s of tests performed across all industry sectors. To get started, why not fill out our short penetration test quote generator questionnaire here or speak to a member of our team at 0800 8047 256 about your cyber security needs and how Espria can help.